Custos.za

Services  //  three engagements

From "are we compliant?" to a system in production.

Three engagements that build on each other. Start where you are. Each one stands alone and feeds the next.

01

POPIA AI Readiness Assessment

2 to 3 weeks

A structured audit of your AI workloads against the SA regulatory frame. The fastest way to know where you actually stand.

What's included

  • Data-flow map of every AI workload touching personal information
  • POPIA Section 72 and Section 26 exposure analysis
  • Sector-specific review (SARB Directive 3, SAM, CMS) as applicable
  • A prioritised remediation path, written for both legal and engineering

Deliverable

A board-ready assessment report and a one-page architecture risk summary.

Who it's for

A CIO or CRO who has been asked "is our AI POPIA-compliant?" and needs a defensible answer.

02

Sovereign Reference Architecture

4 to 6 weeks

A documented, deployable architecture for one priority AI use case, designed to satisfy the regulation by construction.

What's included

  • Target architecture for one use case (e.g. claims RAG, AML monitoring)
  • Deployment pattern selection: on-prem, sovereign cloud, or hybrid
  • Controls for logging, vector stores, and inference state
  • A design document your legal and risk teams can sign off on

Deliverable

A reference architecture document and diagram set, plus a build estimate.

Who it's for

A team that knows its exposure and needs a concrete, compliant design to build toward.

03

Build & Integrate

Scoped per engagement

Implementation of the reference architecture: a working, observable, sovereign AI system integrated into your stack.

What's included

  • vLLM / sovereign inference setup on chosen infrastructure
  • Retrieval pipeline with PII controls at every layer
  • Observability, audit logging, and evaluation harness
  • Handover documentation and team enablement

Deliverable

A production-grade system, the runbook, and the audit trail to prove it.

Who it's for

A team that is ready to deploy and wants the compliance built in, not bolted on.

Not sure which one you need?

Most engagements start with a 25-minute working session. No pitch. We figure out where you actually are.
